Conference Notes and Best Practices Release 1.3 ... - Read the Docs
Conference Notes and Best Practices, Release 1.3
Terminology
• Advisory
• Low
• Medium
• High
• Critical
Advisory
• Issues that the security team wishes to communicate but that carry no specific required action.
• May contain recommended actions, but no specific response is required.
Low
• Issues that are expected to be resolved, but that have low risk or low consequences. Should not interrupt day-to-day operations.
Medium
• Carry some risk, but have low impact. May have someone assigned to work on them.
High
• Carry substantial risk; publicly disclosed issues. Will probably interrupt several developers from multiple teams.
Critical
• Threaten the integrity of the company. Great financial risk or otherwise “sky is falling” level issues.
• “All hands on deck”
Assessment
• Start with the OWASP risk rating methodology
• Risk = Likelihood x Impact
• How likely is it that this issue will be discovered and exploited?
Examples of Vulnerabilities
• http://bit.ly/13ds9X0 (PostgreSQL)
• Likelihood: threat agent
• Calculate the threat
• Calculate your impact
• Matrix of likelihood and impact
• This case came out at the High level.
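As an added worked example (not part of the original notes), the OWASP Risk Rating calculation the notes refer to, written in Python: factors are scored 0-9, likelihood and impact are averaged and bucketed, then combined in the overall-severity matrix. The factor scores below are constructed sample values, not the actual ratings of the PostgreSQL case.

```python
"""OWASP Risk Rating worked example (added here; not from the original notes).

Thresholds and matrix follow the OWASP Risk Rating Methodology: factor scores
0-9, averaged; 0-<3 LOW, 3-<6 MEDIUM, 6-9 HIGH; overall = matrix[impact][likelihood].
"""

LOW, MEDIUM, HIGH = "LOW", "MEDIUM", "HIGH"

# Overall severity matrix from the OWASP methodology, indexed [impact][likelihood].
SEVERITY_MATRIX = {
    HIGH:   {LOW: "Medium", MEDIUM: "High",   HIGH: "Critical"},
    MEDIUM: {LOW: "Low",    MEDIUM: "Medium", HIGH: "High"},
    LOW:    {LOW: "Note",   MEDIUM: "Low",    HIGH: "Medium"},
}

def average(factors):
    """Average a dict of factor scores; each must be an integer 0-9 per the OWASP tables."""
    for name, score in factors.items():
        if not 0 <= score <= 9:
            raise ValueError(f"factor {name!r} must be scored 0-9, got {score}")
    return sum(factors.values()) / len(factors)

def level(score):
    """Bucket an averaged score into LOW / MEDIUM / HIGH."""
    if score < 3:
        return LOW
    if score < 6:
        return MEDIUM
    return HIGH

def rate(threat_agent, vulnerability, technical_impact, business_impact):
    """Return (likelihood_score, impact_score, overall_severity)."""
    likelihood = average({**threat_agent, **vulnerability})       # 8 likelihood factors
    impact = average({**technical_impact, **business_impact})     # 8 impact factors
    return likelihood, impact, SEVERITY_MATRIX[level(impact)][level(likelihood)]

# Constructed sample scores (hypothetical; not the PostgreSQL case from the notes).
SAMPLE = dict(
    threat_agent=dict(skill_level=6, motive=4, opportunity=9, size=9),
    vulnerability=dict(ease_of_discovery=9, ease_of_exploit=5, awareness=9, intrusion_detection=8),
    technical_impact=dict(confidentiality=7, integrity=7, availability=5, accountability=7),
    business_impact=dict(financial=3, reputation=4, non_compliance=2, privacy=5),
)

if __name__ == "__main__":
    lik, imp, sev = rate(**SAMPLE)
    print(f"likelihood={lik:.3f} ({level(lik)}), impact={imp:.3f} ({level(imp)}) -> {sev}")
```

With these sample scores likelihood averages to HIGH and impact to MEDIUM, so the matrix yields an overall rating of High, the same bucket the notes report for their case.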
34 Chapter 3. Conferences